RE: W3C Web Crypto - classifying issues - a new proposal

Hi Ryan,

Thanks for your feedback. 

I agree with you that priorities are the most important things to agree on in order to progress and have the group focusing on solving issues, one by one. I did not believe that I changed the already discussed priority, except that I have been allocated new priorities in new domain.

On the domain re-arrangement, you gave your view during our call, but other participants (Netflix and Microsoft) suggested another consensual proposal. I think we have to take into account here what was said. I had the feeling that it was not a strong problem to proceed so. In addition, as you mentioned, this is an artificial way to classify issues and if we believe that we need to progress on an issue which is classified in another domain - due to dependency, no problem, we can do that.

Now on working on two different waves, I did not have in mind to multiply our conf calls - I don't want to kill people's enthusiasm by overloading. If you believe we can't discuss two issue domains at the same time, let's choose one and start solving it.

From your feedback, I suggest the following unique domain priority: crypto domain and the 3 associated issues

ISSUE-36	Semantics for key generation versus key derivation	high
ISSUE-29	Handling of block encryption modes and padding	medium
ISSUE-27	Specification of AES-CTR mode counter bits	

What do you think?

Regards,
Virginie


-----Original Message-----
From: Ryan Sleevi [mailto:sleevi@google.com] 
Sent: Friday 21 September 2012 22:01
To: GALINDO Virginie
Cc: public-webcrypto@w3.org; Wendy Seltzer; Harry Halpin
Subject: Re: W3C Web Crypto - classifying issues - a new proposal

On Tue, Sep 18, 2012 at 3:03 AM, GALINDO Virginie <Virginie.GALINDO@gemalto.com> wrote:
> Dear all,
>
>
>
> You will find attached a new version of a table for structuring our 
> ISSUES, together with a priority proposal. The dependencies still have 
> to be worked out.
>
> Please note that the exercise here is just to treat issues from a 
> domain all together. As suggested in my Take Away, let's start with 
> high priority crypto ISSUE and progress on that domain to help 
> implementers. This does not prevent us from starting a second wave, 
> e.g. functional or key description (that I have generated from key and access control domains).

Could you explain the criteria you used to determine priority here? It looks like it has been changed somewhat significantly from the previous version, and I don't see any discussion on the mailing list or during our last telecon to explain why the changes.

>
>
>
> Any comment on this new structure of issues ?

As mentioned on the telecon, I still believe it's a mistake to conflate key definitions and access control. I appreciate the close relationship they have, but I still believe they represent distinct sets of challenges. That some members have expressed a desire to disregard the same origin policy I believe highlights this, since such a discussion is wholly independent of "what makes a key a key" and is directly related to the security properties.

>
> Any volunteer to work on dependency with me ?

As mentioned on IRC during the telecon, I do not think these categories are necessarily exclusive. That is, categories are more like a set of tags, and the domain is just highlighting the 'closest' domain.

Within that, I don't think there is a matter of dependency ordering. Discussions on a later issue may fundamentally alter a former issue. Trying to order them into some structure of dependencies I think will just end up taking time, while not necessarily adding value.

I suspect it's more important that we establish and agree upon the priorities, since I think those are most blocking towards getting progress done.

>
> Any strong opinion on treating two "waves" in parallel ?

I do not think we will be able to limit the mailing list discussions to just one or two topics, nor do I think it would be helpful to do so. Since we cannot pursue parallel discussions on a single telecon, if this is a proposal to start a twice-weekly telecon, I'd be concerned about the ability to make progress in either. I'm not sure the time/value trade-off would be productive.

So I'm left being unclear on what you mean by this.

I think the most important part to making progress on any of these issues is that people begin proposing strawman proposals that will address their needs. The ISSUES have tried to capture what members have expressed desire for or concerns of, but in the absence of proposals, I fear we'll continually discuss how "This would be nice", without actually making progress, and worse, that members will continue to add new features without suggesting how their concerns can be resolved.

Received on Friday, 21 September 2012 20:22:22 UTC